From d3008b03ae4e833078093f8b69e59c9845b1a270 Mon Sep 17 00:00:00 2001
From: Ed Merks
Date: Thu, 23 May 2024 11:14:13 +0200
Subject: [PATCH] Improve SignRepositoryArtifactsMojo handling of unsigned content

- Treat content that is signed outside of the signing certificate's validity range as unsigned.
---
 .../org/eclipse/tycho/gpg/SignRepositoryArtifactsMojo.java | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/tycho-gpg-plugin/src/main/java/org/eclipse/tycho/gpg/SignRepositoryArtifactsMojo.java b/tycho-gpg-plugin/src/main/java/org/eclipse/tycho/gpg/SignRepositoryArtifactsMojo.java
index 62639d8486..3e5ad18fd1 100644
--- a/tycho-gpg-plugin/src/main/java/org/eclipse/tycho/gpg/SignRepositoryArtifactsMojo.java
+++ b/tycho-gpg-plugin/src/main/java/org/eclipse/tycho/gpg/SignRepositoryArtifactsMojo.java
@@ -252,6 +252,13 @@ private void handle(IArtifactDescriptor artifactDescriptor, File artifact, Proxy
 try {
 var signedContent = signedContentFactory.getSignedContent(artifact);
 if (signedContent.isSigned()) {
+ for (var signerInfo : signedContent.getSignerInfos()) {
+ // Check that the signature was produced within the validity range of the certificate.
+ // If not, this call throws CertificateExpiredException or CertificateNotYetValidException.
+ // That ensures we continue the logic that follows as if the content were not signed.
+ signedContent.checkValidity(signerInfo);
+ }
+
 if (skipIfJarsigned) {
 return;
 }
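Review bot: The added loop relies on `signedContent.checkValidity(signerInfo)` throwing `CertificateExpiredException` or `CertificateNotYetValidException` to fall through to the "not signed" path, but whether that actually happens is decided by the `catch` clause of the enclosing `try`, which lies outside this hunk; if that clause only handles what `getSignedContent` declares (I/O or invalid-content failures), these `CertificateException`s will propagate and fail the build instead of re-signing the artifact. Please confirm the catch covers `CertificateException` (or `GeneralSecurityException`) and consider logging which signer was rejected, so an expired signature is visible in the build output rather than silently treated as absent. The loop also treats the whole artifact as unsigned as soon as any single signer is outside its validity window, even if another signer is still valid — likely intended, but worth a sentence in the comment, e.g. `// Any one invalid signer causes the artifact to be treated as unsigned.`. If I recall correctly, Equinox's `checkValidity` evaluates the certificate against the signer's timestamp and may skip the check when no trusted timestamp is present, which would mean untimestamped signatures are never treated as expired here — worth verifying against the SignedContent implementation in use. The enclosing `handle` method starts and ends outside the hunk.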